Here is Part 2 of Lessons learned from the Equifax Breach. See Part 1.
Own up, make changes and say sorry:
According to Whois, Equifax registered their Equifax Security 2017 site (would Equifax insecurity have been a better name I wonder?) in late August. Incidentally, this is a month *after* they claim to have witnessed suspicious network traffic associated with their US online dispute portal.
Yet they only informed the world via a press release on September 7. In reading and digitally scanning their public-facing Equifax breach site for any we’re-really-sorry-we-screwed-up statements, I was woefully disappointed. Here is the only mea culpa I was able to locate, buried in the fifth section of the customer notice:
“Equifax is committed to ensuring that your personal information is protected, and we apologize to our consumers and our business customers for the concern and frustration this incident causes. If you have additional questions, please call our dedicated call center at 866-447-7559…, available from 7:00 a.m. to 1:00 a.m. Eastern time, seven days a week.”
To give credit where it is due, Equifax’s Chairman and CEO Richard F. Smith told USA Today on September 12, “We apologize to everyone affected. This is the most humbling moment in our 118-year history.”
The other issue, of course, is the plethora of similar-sounding websites that were registered soon after Equifax Security 2017 was registered. It is not a stretch to assume that these are designed to phish those who are worried about what this data loss may mean for them personally.
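A defender can flag these look-alike registrations automatically rather than eyeballing a list. The script below is an added example written for this post, not code from Equifax, TBG Security or the original article. It assumes the official site is equifaxsecurity2017.com (the post names it only as "Equifax Security 2017"), and the candidate domains it checks are constructed for illustration, not taken from any registry feed. It folds common homoglyph and confusable-character tricks, then flags a domain if its registrable label is within a small edit distance of the official one or contains the brand name.

```python
"""Triage newly registered domains for look-alikes of a breach-response site.

Added example for this post (not Equifax's or TBG Security's code).
Assumptions: the official site is equifaxsecurity2017.com, TLDs are single
labels (.com, .net), and the candidate domains are constructed, not real.
"""
import re
import unicodedata

OFFICIAL_DOMAIN = "equifaxsecurity2017.com"  # assumed official site
BRAND_TOKENS = ("equifax", "equifaxsecurity")

# Characters typosquatters swap in because they look alike in many fonts.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(domain: str) -> str:
    """Strip scheme/path, lower-case, and decode punycode (xn--) labels."""
    host = re.sub(r"^[a-z]+://", "", domain.strip().lower()).split("/")[0]
    try:
        host = host.encode("ascii").decode("idna")  # xn--... -> unicode
    except UnicodeError:
        pass  # already contains raw unicode; leave as-is
    return host


def registrable_label(host: str) -> str:
    """Label left of the TLD. Naive: a real tool would use the Public Suffix List."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold(label: str) -> str:
    """Canonical form so homoglyphs, hyphens and confusables collide."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode("ascii")
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", s.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, official: str = OFFICIAL_DOMAIN, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one domain."""
    host = hostname(domain)
    if host == official or host.endswith("." + official):
        return "official"
    label = fold(registrable_label(host))
    target = fold(registrable_label(official))
    if levenshtein(label, target) <= max_distance:
        return "lookalike"  # one or two typos away from the real site
    if any(fold(t) in label for t in BRAND_TOKENS):
        return "lookalike"  # brand name embedded in an unrelated label
    return "unrelated"


def triage(domains):
    """Return only the domains worth a human look, with their verdict."""
    verdicts = [(d, classify(d)) for d in domains]
    return [(d, v) for d, v in verdicts if v != "unrelated"]


# Constructed sample of "newly registered" names; not real registrations.
SAMPLE_FEED = [
    "equifaxsecurity2017.com",
    "equifaxsecurity2018.com",
    "equifax-security2017.com",
    "equ1faxsecurity2017.com",
    "securityequifax2017.net",
    "\u0435quifaxsecurity2017.com",  # leading Cyrillic 'е' homoglyph
    "example.com",
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_FEED):
        print(f"{verdict:9s} {domain}")
```

In practice you would feed `triage()` a daily new-registrations feed (zone file diffs or a commercial feed) rather than a hand-built list, and treat every `lookalike` hit as a lead for takedown or blocklisting rather than a verdict: the label extraction ignores multi-part public suffixes, and short brand tokens will produce false positives that need a human look.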
List of new sites that have been registered in the last 30 days:
In a SNAFU as big as this one, it is vital to rebuild trust with employees, shareholders and the public. One important ingredient of that rebuilding process is to own your mistakes and say sorry. A lot. A buried PR apology doesn't pass muster.
I’d highly recommend investing in a 24-hour hotline. This situation has impacted millions of people internationally, and limiting inbound communications from worried victims seems cheap.
The final straw…so far
All the aforementioned aside, as a security pundit, I know that breaches can happen to anyone. Sure, some fortresses have bigger moats to cross, higher walls to scale, or a stronger army of defenders to contend with, but the clever, lucky and determined always have a degree of opportunity to walk away with the spoils.
If your firm found itself in a similar situation to Equifax’s, you’d like to assume you could turn to your leaders for, well, leadership.
How well does it bode for a firm’s reputation that key executives sell a glut of shares *after* the discovery of a breach, but *before* the breach is made public?
Let’s bring this home. In the Equifax case, CNBC news reported:
“The filings showed that the trio – Chief Financial Officer John Gamble Jr., workforce solutions president Rodolfo Ploder and U.S. information solutions president Joseph Loughran – offloaded the shares on August 1 and August 2…Equifax said on Thursday it discovered a data breach on July 29.”
How do the hundreds of millions of people, many of whom never explicitly consented to having their PII held on Equifax's *secure* servers, feel about these head honchos cashing in during such a massive data disaster? Does it make any of us feel better that Equifax assures us its senior execs, including the CFO, didn't know about the breach at the time of the sale?
I, for one, am thrilled the stench of all this has reached the noses of the SEC and these share sales are now under investigation.
How TBG Security can help
TBG Security provides quality penetration tests and risk assessments tailored to your specific needs. Whether you are a governing body, a financial institution, an insurer, a legal or accountancy firm, or an online provider, we can help.
Get in touch. We can chat about your needs and help you figure out the best approach for you.